Tag Archives: security

I just saw Bruce Schneier’s blog post on a ruling I’m glad to see: a US District Court held, in a ruling last month, that TSA is authorized to search for weapons and explosives, and nothing more. Fake passports taken from a passenger in the case were tossed out as evidence.

“The extent of the search went beyond the permissible purpose of detecting weapons and explosives and was instead motivated by a desire to uncover contraband evidencing ordinary criminal wrongdoing,” Judge Marbley wrote.

It will be interesting to see if there are moves to better train the TSA screeners in the future, or a legislative reaction expanding the powers granted. (um, how far away is that mid-term election again…? :-)

The East Germans are now more free than we are, at least in terms of law and administrative practice in such areas as surveillance and data collection. Thirty years ago, they had the Stasi. Today, Britain has such broadly drawn and elastic surveillance laws that Poole borough council could exploit them to spend two weeks spying on a family wrongly accused of lying on a school application form.

I’ve passed through Amsterdam’s Schiphol Airport a few times in my travels. Unbeknownst to me, I have been experimented on each time…

The flies in the men’s-room urinals of the Amsterdam airport have been enshrined in the academic literature on economics and psychology. The flies — images of flies, actually — were etched in the porcelain near the urinal drains in an experiment in human behavior.
After the flies were added, “spillage” on the men’s-room floor fell by 80 percent. “Men evidently like to aim at targets,” said Richard Thaler of the University of Chicago, an irreverent pioneer in the increasingly influential field of behavioral economics.

That’s pretty cool. I never knew this. This is the sort of thinking we need more of in tackling user-facing security problems. The biggest challenges aren’t math; people are the weak point in any system. If we can nudge people into doing the right thing, in any discipline, and amuse them along the way, we’ll have done the world a service.

James Duncan Davidson describes his frightening experience with “A Postmodern Crime at TED2009”. Davidson, a professional photographer, was assaulted outside the conference by someone demanding his pass. I think it’s interesting to note that it was an “all-access pass to the show and to its attendees”.

I’ve put some thought over the last year or so into “personal threat modeling”, and have knocked around ideas for a presentation of some sort with friends.

What can we know about how very specific behavior exposes us to new threats? My context is as a technologist, and so the threat includes my personal technology, and the information/data I have spread between myself and my various toys.

Suppose that I wanted to steal information on Black & Decker’s latest electric screwdriver design. I might do my homework, and see when a B&D employee from their design group was giving a conference presentation, possibly an easy task given that conference schedules are usually online. This might tell me useful things, like:

Who my target is, often with a brief bio that may give me other useful intelligence.

Where they will be at a specific time.

Bonus: When they will have their laptop with them.

My challenge at this point is to get into the conference and separate him from his laptop. Many opportunities exist in such high-distraction environments, and an all-access pass only makes this much, much easier. (For example, the “Speaker’s Lounge” is usually deliberately off in some quiet corner of the facility.)

Stealing such a laptop, with whatever email or other info I might find, is obviously just one sort of motive. I can imagine an attacker having a variety of goals that might make it well worth the time and risk of physically assaulting someone, particularly someone bearing a particularly privileged access pass. Industrial espionage is just the start of a long list of evil possibilities here.

The crave blog over at CNET news has a great post on a Hanoi entrepreneur’s cell phone service/repair shops, and the brisk business they are doing unlocking 3G iPhones. If this sounds boring, you are probably not familiar with the process necessary to unlock this particular phone:

The technician then extracted the baseband chip, the component that controls the connection between the phone and the mobile network, from the motherboard. (This is a painstaking task as the chip is strongly glued to the phone’s motherboard. A mistake during this process could brick the phone completely.)

Once the chip was extracted, it was Tuan Anh’s turn. He used a chip reader to read information into a file. He then used a Hex editor to remove the locking data from the file, and after that, the chip got reprogrammed with the newly altered file. Now it was no longer programmed to work with only a specific provider.

Pretty hard-core. Once the soldering irons come out, you have left the Mall kiosks behind…

Hat tip to Perry Metzger and the cryptography list for the link, and the reminder that, given proper motivation, people will do unexpected and unauthorized things with technology. Assuming otherwise usually fails.

Systems responsible for digitally signing binary distributions are obviously high-value targets for attackers. Red Hat recently detected such an intrusion, and it was determined that the intruder was able to sign a small number of OpenSSH packages. (Red Hat has released a script to detect the affected packages.)

I haven’t seen an analysis yet, but you have to assume those packages have a high probability of malicious intent…

eWeek has a good overview, “Red Hat Digital Keys Violated by Intruder”, and related coverage is easy to find. This is a good example of the PR and systems impact of such breaches, and an excellent reminder that our notion of “malicious insider” has to include the people trusted by the people we trust (or the systems trusted by the systems we trust).